File: rfc2845.txt

package info (click to toggle)
doc-rfc 20181229-2
  • links: PTS, VCS
  • area: non-free
  • in suites: buster
  • size: 570,944 kB
  • sloc: xml: 285,646; sh: 107; python: 90; perl: 42; makefile: 14
file content (843 lines) | stat: -rw-r--r-- 32,272 bytes parent folder | download | duplicates (9)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843






Network Working Group                                             P. Vixie
Request for Comments: 2845                                             ISC
Category: Standards Track                                   O. Gudmundsson
Updates: 1035                                                     NAI Labs
                                                           D. Eastlake 3rd
                                                                  Motorola
                                                             B. Wellington
                                                                   Nominum
                                                                  May 2000


          Secret Key Transaction Authentication for DNS (TSIG)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This protocol allows for transaction level authentication using
   shared secrets and one way hashing.  It can be used to authenticate
   dynamic updates as coming from an approved client, or to authenticate
   responses as coming from an approved recursive name server.

   No provision has been made here for distributing the shared secrets;
   it is expected that a network administrator will statically configure
   name servers and clients using some out of band mechanism such as
   sneaker-net until a secure automated mechanism for key distribution
   is available.

1 - Introduction

   1.1. The Domain Name System (DNS) [RFC1034, RFC1035] is a replicated
   hierarchical distributed database system that provides information
   fundamental to Internet operations, such as name <=> address
   translation and mail handling information.  DNS has recently been
   extended [RFC2535] to provide for data origin authentication, and
   public key distribution, all based on public key cryptography and
   public key based digital signatures.  To be practical, this form of




Vixie, et al.               Standards Track                     [Page 1]

RFC 2845                        DNS TSIG                        May 2000


   security generally requires extensive local caching of keys and
   tracing of authentication through multiple keys and signatures to a
   pre-trusted locally configured key.

   1.2. One difficulty with the [RFC2535] scheme is that common DNS
   implementations include simple "stub" resolvers which do not have
   caches.  Such resolvers typically rely on a caching DNS server on
   another host.  It is impractical for these stub resolvers to perform
   general [RFC2535] authentication and they would naturally depend on
   their caching DNS server to perform such services for them.  To do so
   securely requires secure communication of queries and responses.
   [RFC2535] provides public key transaction signatures to support this,
   but such signatures are very expensive computationally to generate.
   In general, these require the same complex public key logic that is
   impractical for stubs.  This document specifies use of a message
   authentication code (MAC), specifically HMAC-MD5 (a keyed hash
   function), to provide an efficient means of point-to-point
   authentication and integrity checking for transactions.

   1.3. A second area where use of straight [RFC2535] public key based
   mechanisms may be impractical is authenticating dynamic update
   [RFC2136] requests.  [RFC2535] provides for request signatures but
   with [RFC2535] they, like transaction signatures, require
   computationally expensive public key cryptography and complex
   authentication logic.  Secure Domain Name System Dynamic Update
   ([RFC2137]) describes how different keys are used in dynamically
   updated zones.  This document's secret key based MACs can be used to
   authenticate DNS update requests as well as transaction responses,
   providing a lightweight alternative to the protocol described by
   [RFC2137].

   1.4. A further use of this mechanism is to protect zone transfers.
   In this case the data covered would be the whole zone transfer
   including any glue records sent.  The protocol described by [RFC2535]
   does not protect glue records and unsigned records unless SIG(0)
   (transaction signature) is used.

   1.5. The authentication mechanism proposed in this document uses
   shared secret keys to establish a trust relationship between two
   entities.  Such keys must be protected in a fashion similar to
   private keys, lest a third party masquerade as one of the intended
   parties (forge MACs).  There is an urgent need to provide simple and
   efficient authentication between clients and local servers and this
   proposal addresses that need.  This proposal is unsuitable for
   general server to server authentication for servers which speak with
   many other servers, since key management would become unwieldy with





Vixie, et al.               Standards Track                     [Page 2]

RFC 2845                        DNS TSIG                        May 2000


   the number of shared keys going up quadratically.  But it is suitable
   for many resolvers on hosts that only talk to a few recursive
   servers.

   1.6. A server acting as an indirect caching resolver -- a "forwarder"
   in common usage -- might use transaction-based authentication when
   communicating with its small number of preconfigured "upstream"
   servers.  Other uses of DNS secret key authentication and possible
   systems for automatic secret key distribution may be proposed in
   separate future documents.

   1.7. New Assigned Numbers

      RRTYPE = TSIG (250)
      ERROR = 0..15 (a DNS RCODE)
      ERROR = 16 (BADSIG)
      ERROR = 17 (BADKEY)
      ERROR = 18 (BADTIME)

   1.8. The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED",  and
   "MAY" in this document are to be interpreted as described in [RFC
   2119].

2 - TSIG RR Format

   2.1 TSIG RR Type

   To provide secret key authentication, we use a new RR type whose
   mnemonic is TSIG and whose type code is 250.  TSIG is a meta-RR and
   MUST not be cached.  TSIG RRs are used for authentication between DNS
   entities that have established a shared secret key.  TSIG RRs are
   dynamically computed to cover a particular DNS transaction and are
   not DNS RRs in the usual sense.

   2.2 TSIG Calculation

   As the TSIG RRs are related to one DNS request/response, there is no
   value in storing or retransmitting them, thus the TSIG RR is
   discarded once it has been used to authenticate a DNS message.  The
   only message digest algorithm specified in this document is "HMAC-
   MD5" (see [RFC1321], [RFC2104]).  The "HMAC-MD5" algorithm is
   mandatory to implement for interoperability.  Other algorithms can be
   specified at a later date.  Names and definitions of new algorithms
   MUST be registered with IANA.  All multi-octet integers in the TSIG
   record are sent in network byte order (see [RFC1035 2.3.2]).






Vixie, et al.               Standards Track                     [Page 3]

RFC 2845                        DNS TSIG                        May 2000


   2.3. Record Format

    NAME The name of the key used in domain name syntax.  The name
         should reflect the names of the hosts and uniquely identify
         the key among a set of keys these two hosts may share at any
         given time.  If hosts A.site.example and B.example.net share a
         key, possibilities for the key name include
         <id>.A.site.example, <id>.B.example.net, and
         <id>.A.site.example.B.example.net.  It should be possible for
         more than one key to be in simultaneous use among a set of
         interacting hosts.  The name only needs to be meaningful to
         the communicating hosts but a meaningful mnemonic name as
         above is strongly recommended.

         The name may be used as a local index to the key involved and
         it is recommended that it be globally unique.  Where a key is
         just shared between two hosts, its name actually only need
         only be meaningful to them but it is recommended that the key
         name be mnemonic and incorporate the resolver and server host
         names in that order.

    TYPE TSIG (250: Transaction SIGnature)

    CLASS ANY

    TTL  0

    RdLen (variable)

    RDATA

      Field Name       Data Type      Notes
      --------------------------------------------------------------
      Algorithm Name   domain-name    Name of the algorithm
                                      in domain name syntax.
      Time Signed      u_int48_t      seconds since 1-Jan-70 UTC.
      Fudge            u_int16_t      seconds of error permitted
                                      in Time Signed.
      MAC Size         u_int16_t      number of octets in MAC.
      MAC              octet stream   defined by Algorithm Name.
      Original ID      u_int16_t      original message ID
      Error            u_int16_t      expanded RCODE covering
                                      TSIG processing.
      Other Len        u_int16_t      length, in octets, of
                                      Other Data.
      Other Data       octet stream   empty unless Error == BADTIME





Vixie, et al.               Standards Track                     [Page 4]

RFC 2845                        DNS TSIG                        May 2000


   2.4. Example

      NAME   HOST.EXAMPLE.

      TYPE   TSIG

      CLASS  ANY

      TTL    0

      RdLen  as appropriate

      RDATA

         Field Name       Contents
         -------------------------------------
         Algorithm Name   SAMPLE-ALG.EXAMPLE.
         Time Signed      853804800
         Fudge            300
         MAC Size         as appropriate
         MAC              as appropriate
         Original ID      as appropriate
         Error            0 (NOERROR)
         Other Len        0
         Other Data       empty

3 - Protocol Operation

   3.1. Effects of adding TSIG to outgoing message

   Once the outgoing message has been constructed, the keyed message
   digest operation can be performed.  The resulting message digest will
   then be stored in a TSIG which is appended to the additional data
   section (the ARCOUNT is incremented to reflect this).  If the TSIG
   record cannot be added without causing the message to be truncated,
   the server MUST alter the response so that a TSIG can be included.
   This response consists of only the question and a TSIG record, and
   has the TC bit set and RCODE 0 (NOERROR).  The client SHOULD at this
   point retry the request using TCP (per [RFC1035 4.2.2]).

   3.2. TSIG processing on incoming messages

   If an incoming message contains a TSIG record, it MUST be the last
   record in the additional section.  Multiple TSIG records are not
   allowed.  If a TSIG record is present in any other position, the
   packet is dropped and a response with RCODE 1 (FORMERR) MUST be
   returned.  Upon receipt of a message with a correctly placed TSIG RR,
   the TSIG RR is copied to a safe location, removed from the DNS



Vixie, et al.               Standards Track                     [Page 5]

RFC 2845                        DNS TSIG                        May 2000


   Message, and decremented out of the DNS message header's ARCOUNT.  At
   this point the keyed message digest operation is performed.  If the
   algorithm name or key name is unknown to the recipient, or if the
   message digests do not match, the whole DNS message MUST be
   discarded.  If the message is a query, a response with RCODE 9
   (NOTAUTH) MUST be sent back to the originator with TSIG ERROR 17
   (BADKEY) or TSIG ERROR 16 (BADSIG).  If no key is available to sign
   this message it MUST be sent unsigned (MAC size == 0 and empty MAC).
   A message to the system operations log SHOULD be generated, to warn
   the operations staff of a possible security incident in progress.
   Care should be taken to ensure that logging of this type of event
   does not open the system to a denial of service attack.

   3.3. Time values used in TSIG calculations

   The data digested includes the two timer values in the TSIG header in
   order to defend against replay attacks.  If this were not done, an
   attacker could replay old messages but update the "Time Signed" and
   "Fudge" fields to make the message look new.  This data is named
   "TSIG Timers", and for the purpose of digest calculation they are
   invoked in their "on the wire" format, in the following order: first
   Time Signed, then Fudge.  For example:

Field Name    Value       Wire Format         Meaning
----------------------------------------------------------------------
Time Signed   853804800   00 00 32 e4 07 00   Tue Jan 21 00:00:00 1997
Fudge         300         01 2C               5 minutes

   3.4. TSIG Variables and Coverage

   When generating or verifying the contents of a TSIG record, the
   following data are digested, in network byte order or wire format, as
   appropriate:

   3.4.1. DNS Message

   A whole and complete DNS message in wire format, before the TSIG RR
   has been added to the additional data section and before the DNS
   Message Header's ARCOUNT field has been incremented to contain the
   TSIG RR.  If the message ID differs from the original message ID, the
   original message ID is substituted for the message ID.  This could
   happen when forwarding a dynamic update request, for example.









Vixie, et al.               Standards Track                     [Page 6]

RFC 2845                        DNS TSIG                        May 2000


   3.4.2. TSIG Variables

Source       Field Name       Notes
-----------------------------------------------------------------------
TSIG RR      NAME             Key name, in canonical wire format
TSIG RR      CLASS            (Always ANY in the current specification)
TSIG RR      TTL              (Always 0 in the current specification)
TSIG RDATA   Algorithm Name   in canonical wire format
TSIG RDATA   Time Signed      in network byte order
TSIG RDATA   Fudge            in network byte order
TSIG RDATA   Error            in network byte order
TSIG RDATA   Other Len        in network byte order
TSIG RDATA   Other Data       exactly as transmitted

   The RR RDLEN and RDATA MAC Length are not included in the hash since
   they are not guaranteed to be knowable before the MAC is generated.

   The Original ID field is not included in this section, as it has
   already been substituted for the message ID in the DNS header and
   hashed.

   For each label type, there must be a defined "Canonical wire format"
   that specifies how to express a label in an unambiguous way.  For
   label type 00, this is defined in [RFC2535], for label type 01, this
   is defined in [RFC2673].  The use of label types other than 00 and 01
   is not defined for this specification.

   3.4.3. Request MAC

   When generating the MAC to be included in a response, the request MAC
   must be included in the digest.  The request's MAC is digested in
   wire format, including the following fields:

   Field        Type           Description
   ---------------------------------------------------
   MAC Length   u_int16_t      in network byte order
   MAC Data     octet stream   exactly as transmitted

   3.5. Padding

   Digested components are fed into the hashing function as a continuous
   octet stream with no interfield padding.









Vixie, et al.               Standards Track                     [Page 7]

RFC 2845                        DNS TSIG                        May 2000


4 - Protocol Details

   4.1. TSIG generation on requests

   Client performs the message digest operation and appends a TSIG
   record to the additional data section and transmits the request to
   the server.  The client MUST store the message digest from the
   request while awaiting an answer.  The digest components for a
   request are:

      DNS Message (request)
      TSIG Variables (request)

   Note that some older name servers will not accept requests with a
   nonempty additional data section.  Clients SHOULD only attempt signed
   transactions with servers who are known to support TSIG and share
   some secret key with the client -- so, this is not a problem in
   practice.

   4.2. TSIG on Answers

   When a server has generated a response to a signed request, it signs
   the response using the same algorithm and key.  The server MUST not
   generate a signed response to an unsigned request.  The digest
   components are:

      Request MAC
      DNS Message (response)
      TSIG Variables (response)

   4.3. TSIG on TSIG Error returns

   When a server detects an error relating to the key or MAC, the server
   SHOULD send back an unsigned error message (MAC size == 0 and empty
   MAC).  If an error is detected relating to the TSIG validity period,
   the server SHOULD send back a signed error message.  The digest
   components are:

      Request MAC (if the request MAC validated)
      DNS Message (response)
      TSIG Variables (response)

   The reason that the request is not included in this digest in some
   cases is to make it possible for the client to verify the error.  If
   the error is not a TSIG error the response MUST be generated as
   specified in [4.2].





Vixie, et al.               Standards Track                     [Page 8]

RFC 2845                        DNS TSIG                        May 2000


   4.4. TSIG on TCP connection

   A DNS TCP session can include multiple DNS envelopes.  This is, for
   example, commonly used by zone transfer.  Using TSIG on such a
   connection can protect the connection from hijacking and provide data
   integrity.  The TSIG MUST be included on the first and last DNS
   envelopes.  It can be optionally placed on any intermediary
   envelopes.  It is expensive to include it on every envelopes, but it
   MUST be placed on at least every 100'th envelope.  The first envelope
   is processed as a standard answer, and subsequent messages have the
   following digest components:

      Prior Digest (running)
      DNS Messages (any unsigned messages since the last TSIG)
      TSIG Timers (current message)

   This allows the client to rapidly detect when the session has been
   altered; at which point it can close the connection and retry.  If a
   client TSIG verification fails, the client MUST close the connection.
   If the client does not receive TSIG records frequently enough (as
   specified above) it SHOULD assume the connection has been hijacked
   and it SHOULD close the connection.  The client SHOULD treat this the
   same way as they would any other interrupted transfer (although the
   exact behavior is not specified).

   4.5. Server TSIG checks

   Upon receipt of a message, server will check if there is a TSIG RR.
   If one exists, the server is REQUIRED to return a TSIG RR in the
   response.  The server MUST perform the following checks in the
   following order, check KEY, check TIME values, check MAC.

   4.5.1. KEY check and error handling

   If a non-forwarding server does not recognize the key used by the
   client, the server MUST generate an error response with RCODE 9
   (NOTAUTH) and TSIG ERROR 17 (BADKEY).  This response MUST be unsigned
   as specified in [4.3].  The server SHOULD log the error.

   4.5.2. TIME check and error handling

   If the server time is outside the time interval specified by the
   request (which is: Time Signed, plus/minus Fudge), the server MUST
   generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18
   (BADTIME).  The server SHOULD also cache the most recent time signed
   value in a message generated by a key, and SHOULD return BADTIME if a
   message received later has an earlier time signed value.  A response
   indicating a BADTIME error MUST be signed by the same key as the



Vixie, et al.               Standards Track                     [Page 9]

RFC 2845                        DNS TSIG                        May 2000


   request.  It MUST include the client's current time in the time
   signed field, the server's current time (a u_int48_t) in the other
   data field, and 6 in the other data length field.  This is done so
   that the client can verify a message with a BADTIME error without the
   verification failing due to another BADTIME error.  The data signed
   is specified in [4.3].  The server SHOULD log the error.

   4.5.3. MAC check and error handling

   If a TSIG fails to verify, the server MUST generate an error response
   as specified in [4.3] with RCODE 9 (NOTAUTH) and TSIG ERROR 16
   (BADSIG).  This response MUST be unsigned as specified in [4.3].  The
   server SHOULD log the error.

   4.6. Client processing of answer

   When a client receives a response from a server and expects to see a
   TSIG, it first checks if the TSIG RR is present in the response.
   Otherwise, the response is treated as having a format error and
   discarded.  The client then extracts the TSIG, adjusts the ARCOUNT,
   and calculates the keyed digest in the same way as the server.  If
   the TSIG does not validate, that response MUST be discarded, unless
   the RCODE is 9 (NOTAUTH), in which case the client SHOULD attempt to
   verify the response as if it were a TSIG Error response, as specified
   in [4.3].  A message containing an unsigned TSIG record or a TSIG
   record which fails verification SHOULD not be considered an
   acceptable response; the client SHOULD log an error and continue to
   wait for a signed response until the request times out.

   4.6.1. Key error handling

   If an RCODE on a response is 9 (NOTAUTH), and the response TSIG
   validates, and the TSIG key is different from the key used on the
   request, then this is a KEY error.  The client MAY retry the request
   using the key specified by the server.  This should never occur, as a
   server MUST NOT sign a response with a different key than signed the
   request.

   4.6.2. Time error handling

   If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18
   (BADTIME), or the current time does not fall in the range specified
   in the TSIG record, then this is a TIME error.  This is an indication
   that the client and server clocks are not synchronized.  In this case
   the client SHOULD log the event.  DNS resolvers MUST NOT adjust any
   clocks in the client based on BADTIME errors, but the server's time
   in the other data field SHOULD be logged.




Vixie, et al.               Standards Track                    [Page 10]

RFC 2845                        DNS TSIG                        May 2000


   4.6.3. MAC error handling

   If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG),
   this is a MAC error, and client MAY retry the request with a new
   request ID but it would be better to try a different shared key if
   one is available.  Client SHOULD keep track of how many MAC errors
   are associated with each key.  Clients SHOULD log this event.

   4.7. Special considerations for forwarding servers

   A server acting as a forwarding server of a DNS message SHOULD check
   for the existence of a TSIG record.  If the name on the TSIG is not
   of a secret that the server shares with the originator the server
   MUST forward the message unchanged including the TSIG.  If the name
   of the TSIG is of a key this server shares with the originator, it
   MUST process the TSIG.  If the TSIG passes all checks, the forwarding
   server MUST, if possible, include a TSIG of his own, to the
   destination or the next forwarder.  If no transaction security is
   available to the destination and the response has the AD flag (see
   [RFC2535]), the forwarder MUST unset the AD flag before adding the
   TSIG to the answer.

5 - Shared Secrets

   5.1. Secret keys are very sensitive information and all available
   steps should be taken to protect them on every host on which they are
   stored.  Generally such hosts need to be physically protected.  If
   they are multi-user machines, great care should be taken that
   unprivileged users have no access to keying material.  Resolvers
   often run unprivileged, which means all users of a host would be able
   to see whatever configuration data is used by the resolver.

   5.2. A name server usually runs privileged, which means its
   configuration data need not be visible to all users of the host.  For
   this reason, a host that implements transaction-based authentication
   should probably be configured with a "stub resolver" and a local
   caching and forwarding name server.  This presents a special problem
   for [RFC2136] which otherwise depends on clients to communicate only
   with a zone's authoritative name servers.

   5.3. Use of strong random shared secrets is essential to the security
   of TSIG.  See [RFC1750] for a discussion of this issue.  The secret
   should be at least as long as the keyed message digest, i.e. 16 bytes
   for HMAC-MD5 or 20 bytes for HMAC-SHA1.







Vixie, et al.               Standards Track                    [Page 11]

RFC 2845                        DNS TSIG                        May 2000


6 - Security Considerations

   6.1. The approach specified here is computationally much less
   expensive than the signatures specified in [RFC2535].  As long as the
   shared secret key is not compromised, strong authentication is
   provided for the last hop from a local name server to the user
   resolver.

   6.2. Secret keys should be changed periodically.  If the client host
   has been compromised, the server should suspend the use of all
   secrets known to that client.  If possible, secrets should be stored
   in encrypted form.  Secrets should never be transmitted in the clear
   over any network.  This document does not address the issue on how to
   distribute secrets. Secrets should never be shared by more than two
   entities.

   6.3. This mechanism does not authenticate source data, only its
   transmission between two parties who share some secret.  The original
   source data can come from a compromised zone master or can be
   corrupted during transit from an authentic zone master to some
   "caching forwarder."  However, if the server is faithfully performing
   the full [RFC2535] security checks, then only security checked data
   will be available to the client.

   6.4. A fudge value that is too large may leave the server open to
   replay attacks.  A fudge value that is too small may cause failures
   if machines are not time synchronized or there are unexpected network
   delays.  The recommended value in most situation is 300 seconds.

7 - IANA Considerations

   IANA is expected to create and maintain a registry of algorithm names
   to be used as "Algorithm Names" as defined in Section 2.3.  The
   initial value should be "HMAC-MD5.SIG-ALG.REG.INT".  Algorithm names
   are text strings encoded using the syntax of a domain name.  There is
   no structure required other than names for different algorithms must
   be unique when compared as DNS names, i.e., comparison is case
   insensitive.  Note that the initial value mentioned above is not a
   domain name, and therefore need not be a registered name within the
   DNS.  New algorithms are assigned using the IETF Consensus policy
   defined in RFC 2434. The algorithm name HMAC-MD5.SIG-ALG.REG.INT
   looks like a FQDN for historical reasons; future algorithm names are
   expected to be simple (i.e., single-component) names.








Vixie, et al.               Standards Track                    [Page 12]

RFC 2845                        DNS TSIG                        May 2000


   IANA is expected to create and maintain a registry of "TSIG Error
   values" to be used for "Error" values as defined in section 2.3.
   Initial values should be those defined in section 1.7.  New TSIG
   error codes for the TSIG error field are assigned using the IETF
   Consensus policy defined in RFC 2434.

8 - References

   [RFC1034]  Mockapetris, P., "Domain Names - Concepts and Facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain Names - Implementation and
              Specification", STD 13, RFC 1034, November 1987.

   [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
              April 1992.

   [RFC1750]  Eastlake, D., Crocker, S. and J. Schiller, "Randomness
              Recommendations for Security", RFC 1750, December 1995.

   [RFC2104]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC-MD5:
              Keyed-MD5 for Message Authentication", RFC 2104, February
              1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound "Dynamic
              Updates in the Domain Name System", RFC 2136, April 1997.

   [RFC2137]  Eastlake 3rd, D., "Secure Domain Name System Dynamic
              Update", RFC 2137, April 1997.

   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
              RFC 2535, March 1999.

   [RFC2673]  Crawford, M., "Binary Labels in the Domain Name System",
              RFC 2673, August 1999.













Vixie, et al.               Standards Track                    [Page 13]

RFC 2845                        DNS TSIG                        May 2000


9 - Authors' Addresses

   Paul Vixie
   Internet Software Consortium
   950 Charter Street
   Redwood City, CA 94063

   Phone: +1 650 779 7001
   EMail: vixie@isc.org


   Olafur Gudmundsson
   NAI Labs
   3060 Washington Road, Route 97
   Glenwood, MD 21738

   Phone: +1 443 259 2389
   EMail: ogud@tislabs.com


   Donald E. Eastlake 3rd
   Motorola
   140 Forest Avenue
   Hudson, MA 01749 USA

   Phone: +1 508 261 5434
   EMail: dee3@torque.pothole.com


   Brian Wellington
   Nominum, Inc.
   950 Charter Street
   Redwood City, CA 94063

   Phone: +1 650 779 6022
   EMail: Brian.Wellington@nominum.com















Vixie, et al.               Standards Track                    [Page 14]

RFC 2845                        DNS TSIG                        May 2000


10  Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Vixie, et al.               Standards Track                    [Page 15]